Re: New Critical RPC Vulnerability

[Omar Herrera <omar_herrera () BANXICO ORG MX>]

Well,

 

I can confirm that there exists allready an exploit (I found the chinese
exploit being referentes by the ISS advisory), it’s old: 30 july. This
one only DoSes win 2000 machines; I tested the exploit with Win 2000,
SP3 and the MS03-026 patch and RPC service died immediately; after
applying the patch mentioned on MS03-039 the RPC service resisted the
attack.

 

It is important to mention that, although the attack is on RPC/DCOM, it
is not directly related to MS03-026 they are different (different
vulnerabilities).

 

I couldn’t find any code for Win XP, but eeye is giving enough technical
information on this vulnerability that a new exploit will surface as
soon as next week (look at the timeline of Blaster, do the math and the
results are not too encouraging). 

 

Just remember something: not reacting on time is as bad as overreacting
(I believe that many problems will arise by over-reactions). Try to test
the patch as much as you can before deployment (but be ready to deploy
fast…)

 

Regards,

 

Omar Herrera, CISSP

 

Instituto Tecnológico y de Estudios Superiores de Monterrey, 

Mexico City Campus 

Information security topic and laboratory

 

 

-----Mensaje original-----
De: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] En nombre de Angel L Cruz
Enviado el: Miércoles, 10 de Septiembre de 2003 12:01 PM
Para: SECURITY () LISTSERV EDUCAUSE EDU
Asunto: [SECURITY] New Critical RPC Vulnerability
Importancia: Alta

 

Colleagues:

 

I’m afraid we have another critical MS Vulnerability notice:
http://www.microsoft.com/security/security_bulletins/ms03-039.asp.

 

Impacted include Windows NT, Windows 2000, Windows XP, Windows 2003.

 

Not impacted include Windows 95/98/ME/SE, Mac OS, UNIX, LINUX, other
commercial systems.

 

Actual patch has just been placed online and supercedes other RPC
patches (if you have patched for MS03-026, apply MS03-039; if you have
not applied MS03-026, just apply MS03-039 to fix both issues at once).

 

Recommend you review the notice and related knowledge base article
824146 as soon as possible for action planning.

 

MS has posted a tool for finding vulnerable systems at
http://support.microsoft.com/?kbid=827363.

 

We are not aware of exploit code out yet, but it should follow very soon
-- more news to follow.

 

-Angel

 

 

Mr. Angel L. Cruz, BS

Director & University ISO

ITS - Information Security Office

The University of Texas at Austin

1 University Station, #G0900

Austin, Texas 78712-0557

(512) 475-9462

cruz () austin utexas edu

 

++++++++++++++++++++++++++++++++++++++++++++
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
system manager. If you are not the named addressee you should not
distribute or copy this e-mail. Please notify the sender immediately if
you have received this e-mail by mistake and delete this e-mail from
your system. If you are not the intended recipient you are notified that
disclosing, copying, distributing or taking any action in reliance on
the contents of this information is prohibited.
++++++++++++++++++++++++++++++++++++++++++++

 


**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.